From the Editor


October. What a wonderful month - one of my favorites. Here in the North East U.S.,
Autumn is now going full swing: leaves dot the ground, we get very low-humidity days
and... a new operating system from Apple! Or so we're told. As I write this, nothing
official has been announced; however, we're anxiously preparing for the arrival for OS X
aka Leopard. We'll have plenty of coverage after its release. For now, though, you should
go find a fireplace and put your feet up and read the remainder of this issue. (Or perhaps, for our
readers in the Southern Hemisphere, get your beach chair).

This month's cover story is all about ssh. It's built in to OS X, so it couldn't be easier to start
using, and most readers have by now. However, most people use it in the most basic fashion:
grabbing a remote shell. Did you know how much else it can do? If any single application can be
called a networking Swiss Army Knife, ssh would be it.

Dave Dribin once again leads us down The Road to Code. This month, we're introduced to
object oriented programming. Of course, it's all presented in Dave's crystal clear style. If you've
been traveling down the Road thus far, this month's addition will leave you a more powerful
programmer, and wanting more at the same time!

Joe Froehlich returns to help clear up more Windows mysteries for the Mac user. This time,
he tackles Windows networking and browsing. When a Windows machine is networked it gets
its view of the world very differently than OS X does. So, for the Mac admins that have had to
support Windows machines, and Samba, and Boot Camp, etc., and didn't quite understand what
NetBIOS or a master browser are, check out Joe's guide to Windows Networking (for the Mac
user!).

Another returning author is Jose Cruz. This time, he details the tar archiving program, and
shows you how to integrate tar directly into XCode's IDE. Brush up on your command-line skills,
learn a new application and become more productive in XCode.

The MacEnterprise team brings us tips on integrating your OS X machine with
Active Directory. Sometimes, it's necessary. More often than not, it's a smooth process thanks to
Apple's continuing efforts on its Active Directory plug-in. However, sometimes you need to probe
the system a little bit to determine the values to enter into the plug-in. Let Philip Rinehart guide
you through the steps needed.

This month's MacTech Spotlight features David Sinclair, owner of independent development
house Dejal. David has written a good number of utilities, some of which I use, and some of which
are really picking up steam. He's great proof that there's work out there for creative apps - the
Mac community is almost insatiable in this regard. There's never been a better time to be
developing and creating for OS X. So, check out David Sinclair, and then go back and read the
Road to Code, and get busy with some development!


Edward Marczak,
Executive Editor 
A behind the scenes look at how it really works

By Joe Froehlich

Just browsing, thanks! 

If you peruse the Windows Services Administration manual
for Mac OS X Server, you'll find the following statement:

"Mac OS X Server can also provide network browsing
service as a workgroup master browser or a Windows domain
master browser for Windows clients. A workgroup master
browser enables Windows computers to discover servers on
one subnet. A domain master browser enables Windows
computers to discover servers across subnets."

While this statement sounds simple enough, as with most
things, there's more to the story. If you have Windows clients
on your Mac OS X Server-based network, it's important to
understand how Windows network browsing functions. In this
article, we'll give you the grand tour.

The Language of Windows 
networking 

Microsoft defines two distinct network entities:
workgroups and domains. Let's start with a brief description of
each so we're talking the same language.

A workgroup is a logical grouping of peer-to-peer
computers that facilitates sharing resources (file and printers)
among its members. While there's usually a one-to-one
relationship between a workgroup and a subnet, in theory at
least, a subnet can host multiple workgroups, and a given
workgroup can span physical subnets.

A domain (not to be confused with an Internet domain) is
a logical grouping of computers for administrative and security
purposes. In a domain, all computers share a common
directory database of resources and security information. A
domain can reside on a single subnet, or it can span multiple
subnets. A domain typically consists of a domain controller,
member servers, and client workstations.


Browsing services in brief 

On a native Windows network, the Computer Browser
Service controls network browsing. On a Mac OS X Server-based
network, this same service is implemented via Samba.
Fundamentally, the browsing service on the respective platform
is responsible for populating a client's view of the Windows
network, as shown in Figure 1.



Figure 1: Browsing a Windows workgroup 
under Tiger and Vista 

When you configure the Windows service on Mac OS X
Server, your changes are reflected in the underlying
/etc/smb.conf file. In Figure 2, for example, we've made our
server a member of the Windows workgroup called EUROPA.
In examining the [global] section of the smb.conf file, we
see the following settings, which correspond to the
Description, Computer Name, and Workgroup items on the
General pane:

• server string = Mac OS X Server 

• netbios name = osxsrv 

• workgroup = EUROPA 



Figure 2: The Windows service module 
in Mac OS X Server 

How Windows network 
browsing works 

When a Windows machine comes online, it broadcasts its
presence—saying in effect, "Here I am and I have something to
share with you". Other computers on the network are
responsible for collecting the list of nodes that provide shared
resources. When a client computer needs to access a shared
resource, it consults the browse list (not the host directly
sharing the resource) to locate the resource. Figure 3 provides
an overview of this process.

The key point to remember is that, in addition to the
machine providing the resource (the server) and the machine
requesting the resource (the client), other machines, known as
computer browsers, manage lists of available resources
throughout the network.

Computer browser roles 

There are several different roles a computer can assume in
a Windows browsing environment. Depending on the installed
operating system, a computer with the Computer Browser
Service enabled can serve any of the following roles:

• Master Browser. This machine collects and maintains the list of
available network resources on its own subnet. The master
browser fully replicates its information list with the domain master
browser to obtain a complete browse list for the network, and
then distributes it to backup browsers located on the same subnet.

• Preferred Master Browser. This machine is a master browser that
the administrator has configured manually (via a Windows
registry setting) to be the favored master browser.

• Domain Master Browser. This machine collects and maintains
the master browse list of available resources for its domain. It
also distributes and synchronizes the master browse list for
master browsers on other subnets that have computers
belonging to the same domain. This is the default role for a
Primary Domain Controller (PDC).

• Backup Browser. This machine receives a copy of the browse
list from the master browser for its subnet, and then distributes
it to other computers upon request. Clients that need to access
a resource consult the backup browser, not the master browser.

• Potential Browser. This machine is capable of becoming a
backup browser when and if its subnet's master browser
instructs it to assume that role.

• Non-browser. This machine is configured so it can't become a
computer browser; as a result, it doesn't maintain a browse list.
However, it can operate as a browse client, requesting browse
lists from other computers operating as browsers on the same
subnet.





Figure 3: Windows network browsing in action 

Computer browser elections 

In certain cases, computer browsers need to assume different
roles. When this happens, potential browsers choose a new
master browser, using a process known as an election. An election
is initiated as a result of any of the following events occurring:

• A computer can't locate a master browser.

• A preferred master browser comes online.

• A Windows domain controller starts.

• A backup browser can't contact a master browser to update
its browse list.
The election process

Not surprisingly, a computer browser election is
considerably friendlier than a political election. In short, all
potential browsers present their qualifications during the
election. Then, after several rounds of self-elimination (e.g., a
browser disqualifies itself after encountering an opponent with
higher qualifications), a single machine remains—the newly
elected master browser.

Browser qualifications 

There are several criteria for determining which computer
browser is most qualified to win an election. In practice, the
winner is usually determined by a combination of its operating
system and its role on the network. In general, the more
capable the operating system and the more important the
machine's network role, the more likely it is to win an election.
For example, an NT server running as a PDC beats a Windows
2000 Professional workstation. Likewise, all other criteria being
equal, a preferred master browser beats a backup browser.

Election outcomes 

The following rules determine, in the order listed, whether
a browser wins an election:

• If the election protocol version of the browser is greater
than the election protocol version of its opponent, the
browser wins. If not, the browser uses the next election
criterion.

• If the value of the election criteria (combined value of
operating system and network role) for the browser is
greater than that of its opponent, the browser wins. If not,
the browser uses the next election criterion.

• If the browser has been running longer than its opponent,
the browser wins. If not, the browser uses the next election
criterion.

• If none of the above rules have determined the election,
then the server with the lexically lowest name wins; e.g., a
server named Alpha wins over a server named Beta.
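
The four rules above, applied in order, as an added example (not part of the original article, and not Samba's or Microsoft's code). The field names and the numeric values in the sample subnet are constructed for illustration; the last function shows how an administrator can check that the machine that would win is one intended to hold the role.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple


@dataclass(frozen=True)
class Browser:
    """One election participant. Field names are this example's own."""
    name: str               # computer (NetBIOS) name
    protocol_version: int   # election protocol version
    criteria: int           # combined operating-system + network-role value
    uptime_s: int           # how long the browser has been running, seconds


# Rules 1-3 from the article, in order: the larger value wins outright.
ORDERED_RULES = (
    ("election protocol version", lambda b: b.protocol_version),
    ("election criteria", lambda b: b.criteria),
    ("running longer", lambda b: b.uptime_s),
)


def decide(a: Browser, b: Browser) -> Tuple[Browser, str]:
    """Return (winner, rule that settled it) for one pairing."""
    for rule, key in ORDERED_RULES:
        if key(a) != key(b):
            return (a if key(a) > key(b) else b), rule
    # Rule 4: nothing above separated them, so the lexically lowest name wins.
    # Comparing upper-cased names is an assumption of this example.
    return (a if a.name.upper() <= b.name.upper() else b), "lexically lowest name"


def run_election(candidates: Iterable[Browser]) -> Browser:
    """Self-elimination: a candidate drops out when it meets a better one."""
    pool = list(candidates)
    if not pool:
        raise ValueError("no potential browsers on this subnet")
    winner = pool[0]
    for challenger in pool[1:]:
        winner, _ = decide(winner, challenger)
    return winner


def unexpected_master(candidates: Iterable[Browser], approved: set) -> str:
    """Return the winner's name if it is not a machine you intended to hold
    the master browser role, or an empty string if the outcome is expected."""
    winner = run_election(candidates)
    allowed = {name.upper() for name in approved}
    return "" if winner.name.upper() in allowed else winner.name


# Constructed sample subnet; the numeric values are illustrative only.
SUBNET = [
    Browser("OSXSRV", protocol_version=1, criteria=0x20, uptime_s=86_400),
    Browser("WS-ALPHA", protocol_version=1, criteria=0x10, uptime_s=900_000),
    Browser("WS-BETA", protocol_version=1, criteria=0x10, uptime_s=900_000),
]

if __name__ == "__main__":
    print("master browser:", run_election(SUBNET).name)
    print("settled by:", decide(SUBNET[1], SUBNET[2])[1])
```

Note that uptime only matters once protocol version and criteria are tied: the two workstations have run far longer than OSXSRV and still lose to it.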

Configuring browser roles on 
Mac OS X Server 

While you use the Settings | General pane of the Windows
service module to specify workgroup or domain membership,
you use the Settings | Advanced pane, shown in Figure 4, to
configure browser roles (Workgroup Master Browser and/or
Domain Master Browser).

Master browser 

You'll recall from our previous discussion that a master
browser is responsible for collecting and maintaining browse
lists on its own subnet. You must have a master browser on
each subnet. This machine can be any Windows machine with
the Computer Browser Service enabled, or a Mac OS X server
running Samba and serving as a local master.
To configure a master browser, simply select the
Workgroup Master Browser check box. In doing so, the
[global] section of the smb.conf file reports the setting:
local master = yes.



Figure 4: Browser role configuration


Domain master browser 

The domain master browser is the master browser for the
subnet in which it resides. Additionally, it propagates its browse
list to the individual master browsers on each subnet in the
domain. At the same time, the master browsers on each subnet
distribute their browse lists to the parent domain master browser.
If you have a Windows domain, regardless of whether it's on a
single subnet or it spans multiple subnets, you need a domain
master browser. This machine can be a Windows server acting as
a PDC, or a Mac OS X Server serving an equivalent role.

To configure a domain master browser, first set up Mac OS X
Server as a WINS server, or register it with an existing WINS server
for NetBIOS name resolution. Then, simply select the Domain
Master Browser check box. In doing so, the [global] section of
the smb.conf file reports the setting: domain master = yes.

Conclusion 

Hopefully, this article has given you a better sense of how
Windows network browsing works. If this article has elevated
your interest in learning more about this subject, refer to the
online documentation available on Samba's website at
www.samba.org. In the meantime, Happy Browsing!
Active Directory!

Of the topics that come up on the MacEnterprise list,
Active Directory and its integration with OS X is discussed
frequently. Why? Many environments are using Active
Directory for integration for the Windows side of the house,
and many Mac administrators don't want to manage the
information store separately for Macs alone. This month we
will look at some tips for working with the Active Directory
plug-in. Let's get started!

Binding 

Binding, what is it? Directory Services uses a machine
account and "binds" the account to the Active Directory domain.
When logging in, the authentication framework is able to use the
bound machine's account for non-local users. As a result, a user
is granted access to a machine without a local account. With the
Active Directory plug-in, there are a number of intricacies that
make binding difficult. We will look at one of the most common
issues. Before we begin this discussion, though, remember to
check forward and reverse DNS, a common binding problem.
For more information about testing, check out the article here,
http://macenterprise.org/content/view/305/84.

Finding my Organizational Unit 

Often, an administrator does not have access to the default
Organizational Unit used by the Active Directory plug-in. How
does an administrator find their Organizational Unit then?
Fortunately, the tools for performing a lookup are built into OS
X! Let's look at a rather verbose command.

ldapsearch -LLL -H ldap://yourdomaincontroller.ad.test -x -D
"admin@ad.test" -b "dc=ad,dc=test" -W
"cn=activedirectorycomputerobjectname" dn

Looks rather complicated, doesn't it? Fortunately, it isn't
that hard to understand once we dissect it a little bit. The first
option, -LLL, is not strictly necessary. However, using it omits
comments, restricts the output to LDIFv1 (not important here),
and the last L prevents printing of the LDIF version.

Next, the -H option is specified. This option is very
important! Enter the URI of a domain controller that has a copy
of the Global Catalog. Ldapsearch uses this domain controller
to look up information about a computer account.

Next, the -x option is used for simple authentication, not
SSL. In some cases, SSL is not used on domain controllers. The
-D option is important, as it supplies the Active Directory
credentials that are used to authenticate for the LDAP search.

-b provides the search base. The search base is the point
in the LDAP tree where the search should begin. If unsure,
enter the top level of the forest. -W is similar to using the -x
option, telling ldapsearch to prompt for the password, instead
of supplying it with the ldapsearch command.

The last two entries are used to get the actual
Organizational Unit path. The first option
"cn=activedirectorycomputerobjectname" looks for the
computer account in Active Directory. The last option tells
ldapsearch that only the dn attribute is important. It's o.k. not
to specify it, but every attribute is then returned. Sounds like a
lot, doesn't it? Try executing the command once. After you have
the hang of it, you will find how powerful ldapsearch can be.
As a sanity check, here's an example of how the ldapsearch
results might appear:

dn: CN=mbp,OU=One,OU=Two,OU=Three,OU=Four,DC=ad,DC=test

With this information, it's easy to determine the OU path
for machine binding. Note however that the machine account
must exist before this search is executed. The command and
its results could also be wrapped in AppleScript, an Automator
action, or any other scripting language. Once the machine is
bound, the fun begins!
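
One way to do that wrapping, as an added example that is not part of the original article: the Python below takes the text ldapsearch prints and returns the OU path (the dn with the computer's own CN removed). It goes beyond the one-line result shown above by handling three things real LDIF output can contain: long dn lines folded onto continuation lines, base64-encoded dn values (the "dn::" form), and commas escaped with a backslash inside a name. The sample inputs are constructed.

```python
import base64
from typing import List


def dn_from_ldif(ldif: str) -> str:
    """Extract the first dn from ldapsearch -LLL output."""
    # LDIF folds long lines: a line starting with one space continues
    # the previous line, so join those back together first.
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        if line.startswith("dn:: "):      # base64 form, used for non-ASCII
            return base64.b64decode(line[5:]).decode("utf-8")
        if line.startswith("dn: "):
            return line[4:]
    # An empty result is what you get when the machine account does not exist.
    raise ValueError("no dn in ldapsearch output")


def split_rdns(dn: str) -> List[str]:
    """Split a dn on commas, leaving backslash-escaped commas alone."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def ou_path(ldif: str) -> str:
    """Return the container the computer object lives in."""
    rdns = split_rdns(dn_from_ldif(ldif))
    if len(rdns) < 2 or not rdns[0].upper().startswith("CN="):
        raise ValueError("dn does not look like a computer object: %r" % rdns)
    return ",".join(rdns[1:])


# Constructed samples. The first is the article's example result.
SAMPLE_PLAIN = "dn: CN=mbp,OU=One,OU=Two,OU=Three,OU=Four,DC=ad,DC=test\n"
SAMPLE_FOLDED = "dn: CN=mbp,OU=One,OU=Two,\n OU=Three,OU=Four,DC=ad,DC=test\n"
SAMPLE_ESCAPED = "dn: CN=lab\\, mac,OU=One,DC=ad,DC=test\n"
SAMPLE_B64 = "dn:: " + base64.b64encode(
    "CN=mbp,OU=Zürich,DC=ad,DC=test".encode("utf-8")).decode("ascii") + "\n"

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_FOLDED, SAMPLE_ESCAPED, SAMPLE_B64):
        print(ou_path(sample))
```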
Static maps

One of the hidden gems of the Active Directory plug-in
is the ability to use "static maps". Usage of static maps was
originally conceived for usage with the LDAP plug-in, but it
can now be used for mapping any needed attributes. Let's
use an example. On the list, a discussion about using NFS
shares on Active Directory asked about how to provide an
attribute for each user logging in that would be exactly the
same. Static maps to the rescue! Here's how to do it:

This will require a little bit of command line magic. Open
a terminal, and enter the following command:

dsconfigad -staticmap attributetype attributevalue

Three attributes should not be statically mapped: UID,
RecordName and GeneratedUID. As stated in the man page,
mapping these attributes may produce "unexpected"
results. What is the syntax? It's pretty simple, first the
attribute value. Attribute values are preceded by a pound
sign. If the goal is to have every non-local user use the
same value, enter #value to provide each user with that
value at login. Another feature, variable mappings, is not
available with the Active Directory plug-in. It should also
be noted that using static maps is only available from the
command line using dsconfigad.

Timeout values 

Controlling the timeout values for the Active Directory
plug-in involves editing the ActiveDirectory.plist in
/Library/Preferences/DirectoryService. First, note that this
procedure is completely unsupported by Apple! A very
common problem that occurs with mobile accounts and Active
Directory is extremely slow logins. This problem commonly
occurs due to the fact that the Domain Controller is
firewalled, and unavailable outside the corporate network.
For each Domain Controller, a value of 240 seconds is
assigned. Imagine what happens when the laptop user goes
home. Login times, and even wake from sleep times can
become almost unbearably long. Fortunately, an
administrator who knows what values to change in the plist
can alter them, reducing the timeout times manually. Open
the ActiveDirectory.plist in your favorite editor. Next search
for the following entries:

<key>LDAP Connection Timeout</key>
<string>240</string>

This entry usually occurs in multiple places. Depending
on your environment, change the value to a lower value.
Restart the computer, and the timeout values should be in
effect. It has been reported that for some environments the
value may get overwritten, but in my experience it has
worked.
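
Because the entry occurs in several places and may be overwritten later, the edit is easier to make and to re-check with a script than by hand. The following is an added example, not part of the original article and not an Apple tool: it walks a property list, lowers every "LDAP Connection Timeout" value, and reports which entries it changed, so a second run that reports changes again tells you the values were overwritten. The layout of the sample plist (every key other than "LDAP Connection Timeout") is constructed for illustration.

```python
import plistlib

KEY = "LDAP Connection Timeout"   # key name as shown in the article


def find_timeouts(node, path=()):
    """Yield (path, container, value) for every KEY entry at any depth."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name == KEY:
                yield path + (name,), node, value
            else:
                yield from find_timeouts(value, path + (name,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from find_timeouts(value, path + (index,))


def lower_timeouts(plist_bytes: bytes, seconds: int):
    """Return (new plist bytes, list of paths whose value was changed)."""
    if not isinstance(seconds, int) or seconds <= 0:
        raise ValueError("timeout must be a positive whole number of seconds")
    data = plistlib.loads(plist_bytes)
    changed = []
    # Collect first, then modify, so the tree is not altered mid-walk.
    for path, container, old in list(find_timeouts(data)):
        # The article shows the value stored as a <string>; keep whatever
        # type the file already uses.
        new = str(seconds) if isinstance(old, str) else seconds
        if old != new:
            container[KEY] = new
            changed.append("/".join(str(part) for part in path))
    return plistlib.dumps(data, fmt=plistlib.FMT_XML), changed


# Constructed sample: the surrounding structure is hypothetical, only the
# timeout key and its value of 240 come from the article.
SAMPLE = plistlib.dumps({
    "Example Defaults": {KEY: "240"},
    "Example Domains": [
        {"Example Node": "ad.test", KEY: "240"},
        {"Example Node": "other.test", "Unrelated Setting": "1"},
    ],
})

if __name__ == "__main__":
    updated, changed = lower_timeouts(SAMPLE, 30)
    print("changed:", changed)
    # A second pass over the result finds nothing left to change.
    print("second pass:", lower_timeouts(updated, 30)[1])
```

Run it against a copy of the file and keep the original, since the procedure is unsupported.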

Question marks in the Dock

The last thing that appeared recently is the appearance of
a host of question marks in the dock on Intel-based machines
when using the Active Directory plug-in with mobile accounts.
Credit Mike Yocom and Brian Warsing for this solution. It is a
bit involved, but does solve the problem quite nicely.
Step one: Convert com.apple.dock.plist for each user to
xml. This task is best accomplished with a loginhook. Here is
the command:

plutil -convert xml1 -o /tmp/foo.xml com.apple.dock.plist

Step two: Use a bit of xml magic, using xsltproc to filter out
"_CFURLAliasData" entries from the plist.

xsltproc -o com.apple.dock.plist /path/to/style-sheet/com-appledock-style.xsl /tmp/foo.xml

And the required style sheet: 

<?xml version='1.0' encoding='utf-8'?>
<xsl:stylesheet version='1.0'
    xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>

<xsl:output method='xml' version='1.0' encoding='utf-8'
    indent='yes'
    doctype-public="-//Apple Computer//DTD PLIST 1.0//EN"
    doctype-system="http://www.apple.com/DTDs/PropertyList-1.0.dtd"/>

<!-- This template copies the entire root -->
<xsl:template match="@*|node()">
    <xsl:copy>
        <xsl:apply-templates select="@*|node()"/>
    </xsl:copy>
</xsl:template>

<!-- This template removes the _CFURLAliasData node -->
<xsl:template match="array/dict/dict/dict/key">
    <xsl:variable name="foo">
        <xsl:value-of select="." />
    </xsl:variable>
    <xsl:choose>
        <xsl:when test="$foo = '_CFURLAliasData'">
            <!-- Do nothing. I mean don't print it -->
        </xsl:when>
        <xsl:otherwise>
            <!-- Output a copy of the orig. node -->
            <xsl:copy-of select="." />
        </xsl:otherwise>
    </xsl:choose>
</xsl:template>

<!-- This template dumps the data nodes with the alias data -->
<xsl:template match="array/dict/dict/dict/data">
    <xsl:for-each select="." />
</xsl:template>

</xsl:stylesheet>


Step 3: There is no step 3! 

It really is that simple once all of the pieces are in place,
and solves the immediate problem so that question marks
will not appear in the dock. This month, we've tackled some
of the most recent issues with Active Directory. As always,
Active Directory integration continues to be a very complex
problem, as each environment has unique qualities. Keep
sending in feedback to Apple, and keep discussing on the
lists, to make the Active Directory plug-in as good as it can
be! One last thing, check out the following Best Practices
paper about Active Directory integration from Apple:
http://images.apple.com/itpro/pdf/AD_Best_Practices_2.0.pdf.
It also supplies very useful information about
troubleshooting and integration. Until next month, see you
on the lists!
Introduction

So far in The Road to Code, we have gone over variables,
functions, control statements, and dynamic memory allocation.
Now it's time to start putting all these pieces of the puzzle
together and go over one of the main tenets of modern
computer programming: object-oriented programming.
Remember that Apple's native programming language is called
Objective-C, which provides object-oriented extensions to the
C language. The kind of programming we have been doing in
straight C is called procedural programming. Even though the
C language uses functions, the academic name for these
functions is procedures. Where the focus of procedural
programming is on procedures and data structures, object-
oriented programming focuses on objects. Since objects are an
evolutionary extension to procedures and data structures, this
article will cover using data structures in C. This will lay the
groundwork for us to finally start writing Objective-C code in
next month's article.

Data Structures 

Throughout this article, we will be writing code that deals
with geometric rectangles. This is not the sexiest topic, but it is
often used as an introduction to object-oriented programming.
The nice thing about rectangles is that everyone knows what
they are, so they require very little explanation. Their
properties also require only knowledge of simple arithmetic. In
case your geometry is a bit rusty, here's a simple diagram of a
rectangle in the Cartesian coordinate system:


Figure 1: Rectangle in the Cartesian coordinate system 

From this diagram, we can note the four points that make
up this rectangle:

The lower left point is (5, 5)
The upper left point is (5, 10)
The upper right point is (15, 10)
The lower right point is (15, 5)

From these four points, we know the four edges of this
rectangle:

The left edge has an X-coordinate of 5
The bottom edge has a Y-coordinate of 5
The right edge has an X-coordinate of 15
The top edge has a Y-coordinate of 10

From these four edges, we can determine the width and
height of the rectangle:

The width is: right edge - left edge = 15 - 5 = 10 units
The height is: top edge - bottom edge = 10 - 5 = 5 units

Finally, from the width and height, we can calculate the
area and perimeter:

The area is: width x height = 5 x 10 = 50 units
The perimeter is: (2 x width) + (2 x height) = 2x5 + 2x10 = 30 units

Even though these calculations are fairly simple to do 
without a computer, I’m going to walk us through writing 
a program to help us calculate the area and perimeter of 
rectangles. Rectangles are used a lot in computer graphics, 
so this is more than just a trivial example used to
demonstrate a point. I promise.

Area Calculations 

Here is a simple program that calculates the area from the
four edges of the rectangle:
Listing 1: main.c Area calculation

#include <stdio.h>

int main(int argc, const char * argv[])
{
    float leftX = 5;
    float bottomY = 5;
    float rightX = 15;
    float topY = 10;
    float area;

    area = (rightX - leftX) * (topY - bottomY);
    printf("Area is: %.2f\n", area);

    return 0;
}

I snuck in one shortcut that we haven't covered before.
I've assigned a value to a variable in its declaration. This saves
us four lines of code, since we do not need to assign the
variables separately. When assigning a value to a variable in its
declaration, it is called initializing a variable. Apart from this
shortcut, the rest is straightforward and the output when run is:

Area is: 50.00 

We know from our manual calculations that this is correct.
Even though the area calculation is fairly simple, if we wanted
to do multiple area calculations, we would put this into a
function to avoid possible duplication errors:

Listing 2: main.c Area function 

#include <stdio.h>

float rectangleArea(float leftX, float bottomY,
                    float rightX, float topY)
{
    return (rightX - leftX) * (topY - bottomY);
}

int main(int argc, const char * argv[])
{
    float leftX1 = 5;
    float bottomY1 = 5;
    float rightX1 = 15;
    float topY1 = 10;

    float leftX2 = 0;
    float bottomY2 = 0;
    float rightX2 = 4;
    float topY2 = 4;

    float area;

    area = rectangleArea(leftX1, bottomY1, rightX1, topY1);
    printf("Area 1 is: %.2f\n", area);

    area = rectangleArea(leftX2, bottomY2, rightX2, topY2);
    printf("Area 2 is: %.2f\n", area);

    return 0;
}

Providing Structure 

In Listing 2, we have chosen to represent a rectangle as
four different variables representing the four edges of a
rectangle. It can get very cumbersome to declare four different
variables for every rectangle we want to use. The C language
provides a construct called structures that group together
multiple variables into one package. Here's how we would
declare a structure for our rectangle:

struct rectangle
{
    float leftX;
    float bottomY;
    float rightX;
    float topY;
};

We can declare a variable of this structure using the 
following syntax: 

struct rectangle rectangle;

This declares a variable named rectangle that is of type
struct rectangle. It may seem a little weird to have a
structure and variable with the same name, but this is perfectly
legal and actually quite common. This is legal because the full
name of the structure is "struct rectangle" so it's not
ambiguous what "rectangle" refers to.

To use the elements of the rectangle, such as leftX and
bottomY, you would put a period or dot between them. Thus
to set the four edges of our rectangle as in Figure 1, we would
use the following code:

rectangle.leftX = 5;
rectangle.bottomY = 5;
rectangle.rightX = 15;
rectangle.topY = 10;

Even though we can access the individual elements, the
structure as a whole can be passed around as a single unit. We
can change our function signature to take this structure:

float rectangleArea(struct rectangle r)
{
    return (r.rightX - r.leftX) * (r.topY - r.bottomY);
}

This function now takes a single argument, instead of four.
Its type is struct rectangle. Also, the elements are
accessed with dots, just as when we assigned to them. When
we call this function, we pass just the structure variable:

area = rectangleArea(rectangle);

Packaging up our rectangle as a structure provides us a
few benefits, but there is one final change I'd like to go over.

Type Definitions

Declaring structures is ever so slightly different than
declaring a variable as int or float. You need to include
both words "struct rectangle" in front of the variable
name. If you leave off the word struct, the compiler will give
you an error. However, the C language allows us to create our
own types that are even more similar to internal types, such as
int or float. We can define our own types using the
typedef keyword. Thus, we could include this line after our
structure declaration to define our own type called
Rectangle:
typedef struct rectangle Rectangle;

The typedef keyword makes a new type called
Rectangle that is an alias for the type struct rectangle.
This allows us to use the word Rectangle to declare variables
and function arguments, instead of the more verbose struct
rectangle:

Rectangle rectangle; 

I vastly prefer using typedefs for structures. I find it
makes the resulting code clearer with less extraneous words
and is less error prone since I don't have to remember to use
the struct keyword. I also like to use a capital letter for new
type names. This simple convention makes it clear which
words are types and which are variables without much thought.
This is very handy when looking at code someone else wrote
or even code you wrote a while back.

Because using a typedef with a structure is such a 
common idiom, we can combine the structure definition and 
type definition into one: 

typedef struct
{
    float leftX;
    float bottomY;
    float rightX;
    float topY;
} Rectangle;

Because we are using a typedef, we don't need to give
the structure itself a name (though that is legal). Combining this
technique we can re-write Listing 2 as:

Listing 3: main.c Rectangle structure

#include <stdio.h>

typedef struct
{
    float leftX;
    float bottomY;
    float rightX;
    float topY;
} Rectangle;

float rectangleArea(Rectangle r)
{
    return (r.rightX - r.leftX) * (r.topY - r.bottomY);
}

int main(int argc, const char * argv[])
{
    Rectangle rectangle1;
    Rectangle rectangle2;
    float area;

    rectangle1.leftX = 5;
    rectangle1.bottomY = 5;
    rectangle1.rightX = 15;
    rectangle1.topY = 10;

    rectangle2.leftX = 0;
    rectangle2.bottomY = 0;
    rectangle2.rightX = 4;
    rectangle2.topY = 4;

    area = rectangleArea(rectangle1);
    printf("Area 1 is: %.2f\n", area);

    area = rectangleArea(rectangle2);
    printf("Area 2 is: %.2f\n", area);

    return 0;
}

We now have a rectangle structure and a function that uses
the structure. This combination of a structure and functions that
manipulate that structure is called a data structure. Thus, we
have begun to write a rectangle data structure.

Multiple Source Files 

So far, we have only used one source file, named main.c.
But as programs get larger, you will want to split your program
into multiple source files. This helps organize your code into
logical blocks, and allows you to reuse code in multiple source
files. For example, now that we have a data structure to
represent a rectangle, we may want to use this in other parts of
our program. The best way to solve this problem is by putting
rectangleArea in its own source file.

When using multiple source files, the compiler combines 
all fttnelions in all source files together in one program. 'I'he 
program stalls execution witli the main function. I'hcrc is one 
catch: each funaion name must Ix" unique. Tliis means that 
there nin lx only one rectangleArea function definition 
acTCXss all source files. If Two tliffereni source files define the 
same function, you will get a compiler error. 


We can put the rectangleArea function in its own
source file, say rectangle.c, but then we need a way for
other source files, like main.c, to be able to use it. If we just
try and call it inside main.c, the compiler will complain that it
does not know about a type named Rectangle and a function
named rectangleArea. You've already seen and used the
solution to this problem: header files.

We've used header files to give us access to system
functions like printf and malloc, but header files are not
anything magic. We can easily create our own. To tell the
compiler that a function named rectangleArea exists, we
put this code into a header file, for example, rectangle.h:

Listing 4: rectangle.h

typedef struct
{
    float leftX;
    float bottomY;
    float rightX;
    float topY;
} Rectangle;

float rectangleArea(Rectangle r);

This code looks very similar to the code before the main
function in Listing 3. It contains the structure declaration, just as
before, but we do not include the body of the
rectangleArea function. This body-less function is called a
function declaration. It tells the compiler that there is a function
named rectangleArea somewhere in our program, and it
shouldn't complain if someone tries to call it. You can declare
a function multiple times, but you must define it only once. Of
course we do need to put the body of the function somewhere,
so we put it in its own source file, named rectangle.c:

Listing 5: rectangle.c

#include "rectangle.h"

float rectangleArea(Rectangle r)
{
    return (r.rightX - r.leftX) * (r.topY - r.bottomY);
}

This contains our function definition, with the full body,
but it also starts off with a #include line. This is necessary
because the header contains the structure and type definition
for Rectangle. Without the header file, the compiler wouldn't
know what Rectangle was. This line is also similar to how
we include the stdio.h header file, for printf. You'll notice
that double quotes ("rectangle.h") are used instead of
angle brackets (<stdio.h>). The general rule is that angle
brackets are used to include system header files whereas double
quotes are used to include user defined header files.

I haven't told you how to actually create a new source and
header file in Xcode, but the procedure is quite painless. As you
have probably noticed, on the left hand side of the Xcode
window, you will see a Groups & Files list. If you open the
disclosure triangles, you will see the various files of your
project. In the Source group, you will see the file named
main.c that we have been using so far.

Figure 2: Groups & Files list

To create a new source file, make sure that the Source group
is highlighted as in Figure 2, because this is where we want the
new source file to be placed. Then, select New File... from the
File menu. This will open up a New File dialog box, as shown
in Figure 3. Choose C File, under the BSD category, and click
Next. Now you are prompted to enter the name of the new file,
as shown in Figure 4, so type rectangle.c. You'll notice that
by default Xcode will automatically create a header file named
rectangle.h for you. Since this is what we want, leave that
checked and click Finish. You should see two files added to your
Sources group on the left hand side, as in Figure 5.

Figure 5: New files added to Source group


If you click on these new files, your editor window will
allow you to edit the contents of the selected file. Go ahead and
edit rectangle.h and rectangle.c to match Listing 4 and
Listing 5, respectively. Finally, we need to change main.c to use
our new header file. We can replace the structure and function
definition with the #include statement, as in Listing 6.

Listing 6: main.c using rectangle.h 

#include <stdio.h>

#include "rectangle.h"

int main(int argc, const char * argv[])
{
    Rectangle rectangle1;
    Rectangle rectangle2;
    float area;

    rectangle1.leftX = 5;
    rectangle1.bottomY = 5;
    rectangle1.rightX = 15;
    rectangle1.topY = 10;

    rectangle2.leftX = 0;
    rectangle2.bottomY = 0;
    rectangle2.rightX = 4;
    rectangle2.topY = 4;

    area = rectangleArea(rectangle1);
    printf("Area 1 is: %.2f\n", area);

    area = rectangleArea(rectangle2);
    printf("Area 2 is: %.2f\n", area);

    return 0;
}


With our rectangle structure and function in its own header
file, we can use it in other source files besides main.c, too. All
we would need to do is include rectangle.h in this other
file, and it could also calculate the area of rectangles. Because
the code in rectangle.h allows other code to use our data
structure, it is called the interface. And because the code in
rectangle.c is where the actual function definition is, it is
called the implementation. Separating the interface from the
implementation gives us a lot of flexibility to reuse common
code in different parts of the program.

Add Perimeter Calculations 

With our reusable rectangle data structure in place, we can
now add other functions that operate on the Rectangle
structure. For example, to add a function that calculates the
perimeter, modify rectangle.h to match Listing 7 and
rectangle.c to match Listing 8.

Listing 7: rectangle.h with rectanglePerimeter

typedef struct
{
    float leftX;
    float bottomY;
    float rightX;
    float topY;
} Rectangle;

float rectangleArea(Rectangle r);
float rectanglePerimeter(Rectangle r);

Listing 8: rectangle.c with rectanglePerimeter

#include "rectangle.h"

float rectangleArea(Rectangle r)
{
    return (r.rightX - r.leftX) * (r.topY - r.bottomY);
}

float rectanglePerimeter(Rectangle r)
{
    return 2*(r.rightX - r.leftX) + 2*(r.topY - r.bottomY);
}

This adds a declaration for the rectanglePerimeter
function to the interface and its definition to the
implementation. An example of how we could use this in
main.c is Listing 9.

Listing 9: main.c using rectanglePerimeter 

#include <stdio.h>

#include "rectangle.h"

int main(int argc, const char * argv[])
{
    Rectangle rectangle;

    rectangle.leftX = 5;
    rectangle.bottomY = 5;
    rectangle.rightX = 15;
    rectangle.topY = 10;

    printf("Area is: %.2f\n", rectangleArea(rectangle));
    printf("Perimeter is: %.2f\n",
           rectanglePerimeter(rectangle));

    return 0;
}


If we were to run this program, the output would be:

Area is: 50.00

Encapsulation

Even though our structure stores the four edges, both our
area and perimeter calculation use the width and height of the
rectangle. We may want to change our structure to store the
lower left corner (leftX and bottomY) along with the width
and height to make these calculations easier:

typedef struct
{
    float leftX;
    float bottomY;
    float width;
    float height;
} Rectangle;

This still allows us to represent any geometric rectangle,
but we avoid recalculating the width and height over and over
again. Now, we can re-write our functions to use these new
structure elements:

float rectangleArea(Rectangle r)
{
    return r.width * r.height;
}

float rectanglePerimeter(Rectangle r)
{
    return (2*r.width) + (2*r.height);
}

There, much simpler! But a side effect of this is that we
just broke our code in main.c. It's still trying to set rightX
and topY, which no longer exist. What if we still want to
create our rectangle using the edges? Rather than changing
main to use width and height, let's create a new function
that takes the four edges and initializes the new structure
elements:

Rectangle rectangleInitWithEdges(float leftX, float bottomY,
                                 float rightX, float topY)
{
    Rectangle r;
    r.leftX = leftX;
    r.bottomY = bottomY;
    r.width = rightX - leftX;
    r.height = topY - bottomY;
    return r;
}


This means we have to change our main function as 
follows: 

int main(int argc, const char * argv[])
{
    Rectangle rectangle;

    rectangle = rectangleInitWithEdges(5, 5, 15, 10);
    printf("Area is: %.2f\n", rectangleArea(rectangle));
    printf("Perimeter is: %.2f\n",
           rectanglePerimeter(rectangle));

    return 0;
}

This now gives us the best of both worlds. We can still
create rectangle structures using the four edges, but we can
more naturally calculate the area and perimeter. The height
and width are calculated only once inside
rectangleInitWithEdges. Notice that the main
function now never accesses the structure's elements
directly. It only uses functions defined in the interface to
manipulate the structure. The implementation is now the
only code that accesses the structure's elements. This kind
of code organization, where only the implementation
accesses a structure's elements, is called encapsulation.

Encapsulation is a very good goal of software design. It
gives data structure writers more freedom to implement their
data structure without affecting the users of the data structure.
In fact, because our rectangle data structure now uses
encapsulation, we can change the structure back to the original
with four edges, and our code in main.c will stay exactly the
same! We would have to change our area and perimeter
calculations, but those are internal details.

The truth of the matter is that programs are constantly
changing over time. The programs we have been writing so far
have been fairly trivial. But in real programs, you will be
constantly making modifications, either to add features or fix
bugs. Whenever you make changes, there is the possibility of
introducing new bugs. Limiting the scope of those changes will
make sure you introduce as few bugs as possible. It will also
allow you to make changes faster, since less code will need to
be modified.

Modifying Rectangles 

Okay, so if users of rectangles should no longer access
the structure directly, what's the proper way to modify the
rectangle? To preserve our encapsulation, we should add
functions to the interface that do this. If we wanted to
change the right edge of our rectangle, we could write a
function like this:

void rectangleSetRightX(Rectangle r, float rightX)
{
    r.width = rightX - r.leftX;
}

Unfortunately, this will not work. Remember from our
article on pointers that function arguments are completely
separate variables from the ones passed in. The same holds
true even for structures. The compiler will make a copy of the
rectangle structure, and this function operates on the copy of
the rectangle. When function arguments are copied like this,
it is called passing by value. To solve this, we can pass a
pointer to the rectangle, which is called passing by reference,
as such:


void rectangleSetRightX(Rectangle * r, float rightX)
{
    (*r).width = rightX - (*r).leftX;
}

When we change the first function argument to a
pointer, we need to dereference the pointer inside the
function. Thus, the syntax "(*r).width" dereferences
the pointer and then accesses the structure element. When
dereferencing pointers to structures, it is important to use
parentheses around the pointer dereference, to avoid any
ambiguity of what the star means. Because it is
cumbersome to use parentheses, the C language provides a
shortcut syntax for dereferencing structure pointers using
an arrow syntax:

void rectangleSetRightX(Rectangle * r, float rightX)
{
    r->width = rightX - r->leftX;
}

The arrow syntax, which is really two characters, a dash
followed by the greater than sign, allows us to
dereference a pointer to a structure and access an element
using a cleaner syntax. With this modification, the function
declarations in our header file become:

Rectangle rectangleInitWithEdges(float leftX, float bottomY,
                                 float rightX, float topY);
void rectangleSetRightX(Rectangle * r, float rightX);
float rectangleArea(Rectangle r);
float rectanglePerimeter(Rectangle r);

Notice that we sometimes pass the rectangle by value and
sometimes by reference. This can be confusing to the user of
our data structure. Since we must use a pointer for
rectangleSetRightX, I'm going to change all of our
functions to use pointers, for consistency:

void rectangleInitWithEdges(Rectangle * r,
    float leftX, float bottomY, float rightX, float topY);
void rectangleSetRightX(Rectangle * r, float rightX);
float rectangleArea(Rectangle * r);
float rectanglePerimeter(Rectangle * r);

I also took the liberty of changing
rectangleInitWithEdges to take a pointer to a
Rectangle, too. This is also more consistent with our other
functions. In fact, now every function takes a Rectangle * as
its first argument. This means we have to change main.c to
use the ampersand (address of) operator:

Listing 10: main.c using pointers

#include <stdio.h>

#include "rectangle.h"

int main(int argc, const char * argv[])
{
    Rectangle rectangle;

    rectangleInitWithEdges(&rectangle, 5, 5, 15, 10);

    printf("Area is: %.2f\n", rectangleArea(&rectangle));
    printf("Perimeter is: %.2f\n",
           rectanglePerimeter(&rectangle));

    rectangleSetRightX(&rectangle, 20);
    printf("Area is: %.2f\n", rectangleArea(&rectangle));
    printf("Perimeter is: %.2f\n",
           rectanglePerimeter(&rectangle));

    return 0;
}

Our code is now very consistent looking. It also allows us
to use dynamic memory allocation for the rectangle, too. If we
wanted to only use pointers in our application, we could
re-write this using:

Listing 11: main.c using dynamic memory allocation

#include <stdio.h>
#include <stdlib.h>

#include "rectangle.h"

int main(int argc, const char * argv[])
{
    Rectangle * rectangle;

    rectangle = malloc(sizeof(Rectangle));
    rectangleInitWithEdges(rectangle, 5, 5, 15, 10);

    printf("Area is: %.2f\n", rectangleArea(rectangle));
    printf("Perimeter is: %.2f\n",
           rectanglePerimeter(rectangle));

    rectangleSetRightX(rectangle, 20);
    printf("Area is: %.2f\n", rectangleArea(rectangle));
    printf("Perimeter is: %.2f\n",
           rectanglePerimeter(rectangle));

    free(rectangle);

    return 0;
}

We must now allocate the memory before initializing it
using malloc, and then return the memory to the system
when we are done using free to avoid a memory leak.
Other than that, our code is identical to Listing 10. Notice
that sizeof works on structures, too. Here are the
complete final listings for rectangle.h and
rectangle.c just to make sure we're looking at the
whole picture:

Listing 12: Final rectangle.h

typedef struct
{
    float leftX;
    float bottomY;
    float width;
    float height;
} Rectangle;

void rectangleInitWithEdges(Rectangle * r,
    float leftX, float bottomY, float rightX, float topY);
void rectangleSetRightX(Rectangle * r, float rightX);
float rectangleArea(Rectangle * r);
float rectanglePerimeter(Rectangle * r);

Listing 13: Final rectangle.c 

#include "rectangle.h"

void rectangleInitWithEdges(Rectangle * r,
    float leftX, float bottomY, float rightX, float topY)
{
    r->leftX = leftX;
    r->bottomY = bottomY;
    r->width = rightX - leftX;
    r->height = topY - bottomY;
}

void rectangleSetRightX(Rectangle * r, float rightX)
{
    r->width = rightX - r->leftX;
}

float rectangleArea(Rectangle * r)
{
    return r->width * r->height;
}

float rectanglePerimeter(Rectangle * r)
{
    return (2*r->width) + (2*r->height);
}


Conclusion 

In summary, we've written a small rectangle data
structure with its own interface and implementation files
using proper encapsulation. Users of our data structure can
use the interface functions to access properties of the
rectangle, without accessing its internal structure elements.
Combining structures and functions into reusable data
structures with separate interface and implementation files
like this is what object-oriented code is all about. So
congratulations! You've actually been writing object-oriented
code! Well, there is a bit more to object-oriented code than
this, but we've learned about 75% of what makes
object-oriented code so special. Next month, we will finally learn
some Objective-C code, and you will see how Objective-C
makes it even easier to write object-oriented code.

Mac in the Shell

by Edward Marczak 


ssh Basics 
and More 

Is there anything ssh 
can’t do? 


Introduction 

If it weren't for OS X, I'd probably be toting around a
FreeBSD laptop now. While OS 9 had its charms, when I first
fired up Terminal.app under OS X 10.0 and used ping to test a
network route, I knew it was a keeper (and it didn't even look
that good back then!). The command shell was an environment
I was comfortable in, and had the tools I needed to get work
done. However, I often need to open up a shell on a remote
machine. More than any other command, I probably use ssh
the most. At the very least, it's the one I'd most miss. Why?
What's the draw and advantage here? Read on and find out.

Across the desert lies the 
promised land 

In the beginning, there was telnet. Telnet allowed one
access to a command environment on a remote machine,
typically Unix-based. It was a fine way of doing so for a very
long time - until the Internet-with-a-capital-I came along. Since
telnet passed along all information in clear text, anyone
between you and your remote session could happily sniff and
read everything you typed, or that the host sent back to you.
That's just not cool, man.

ssh was created by Tatu Ylonen in 1995 and was originally
released under an open-source license. This initial release
formed version 1 of the ssh protocol. After forming SSH
Communications, versions of ssh became commercial, with free
for non-commercial use versions. Both versions went
closed-source. In 1997, however, there was a movement to make the
ssh protocol an Internet standard under the IETF. This led to
version 2 of the protocol, which cleaned up some security
issues, bugs, and made other reliability enhancements.

Meanwhile, in 1999, the OpenBSD team took the early
open source version of Tatu Ylonen's code and began
modifying and rewriting, to bring it up to current standards.
This is what became OpenSSH, and was released in December
1999. Markus Friedl added support for version 2 of the ssh
protocol in early 2000.

Fast forward a bit, and under OS X "Tiger", we're blessed
with version 4.5p1 of this venerable application. While we can
use ssh as a simple remote login replacement of telnet (and
rlogin...and rsh), it has quite a bit more functionality. Let's dig in.

If You Want To View Paradise... 

The basics of ssh are pretty straightforward. A machine
that you want to access, called the server, must be running
sshd, the ssh server daemon, which will listen on some port (22
by default). Under OS X, this is accomplished via the "Sharing"
pref pane. Simply check the box next to "Remote Login", as in
Figure 1.


Figure 1 - Enabling ssh in the Sharing Pref Pane 

We're even given instructions: "To log in to this computer
remotely...". Of course, these instructions may not be entirely
correct, depending on certain circumstances. In Figure 1, the
pref pane is picking up an IP address from one of my Parallels
interfaces, so its advice is completely bogus. Be sure to figure
out your own appropriate IP address - an external one if
necessary - before blindly trusting what the pref pane tells you.

As of OS X 10.4, sshd doesn't run continuously, but is run
by launchd on demand. launchd listens on the port specified in
the sshd.plist file, and when a connection is made, launchd
fires up sshd and passes along the connection. It's due to this
that you won't see sshd in a process listing, even though you've
enabled it (as you will in 10.3...or FreeBSD and Linux, for that
matter).
















Button, button, who’s got 
the button? 

Now that you have a machine acting as a server, what can
you do with it? For starters, you can access a shell on the
remote machine from any ssh client. This includes clients
running on Linux/BSD, OS X, Windows or even a smart phone
that has ssh capabilities (like the Nokia N800). That's cool
enough on its own. We can't have Apple Remote Desktop from
our iPhone, but I can access my OS X Server using a non-Apple
smart phone. Brilliant!

Since we're living in OS X-land, let's pretend our client
lives there. Pop open Terminal.app, and simply:

ssh user@host

You'll be asked for a password, and then presented with a
remote shell. Couldn't be easier. If you have the muscle
memory built up from the telnet days, you can also supply the
user name with the "-l" switch, like I tend to do:

ssh -l admin django.radiotope.com

You can also supply the port, if the server is running on
something besides the well defined ssh port of 22:

ssh -l admin -p 6022 django.radiotope.com

Finally, if you want a little more detail about what's going on,
use one or more verbose switches (-v):

ssh -v -l admin -p 8022 django.radiotope.com

Once you have your remote shell, you can start typing, just as
if you were sitting at a console connected directly to that
machine. One last tip: if you're using the defaults, and your
current user name is the same as what you'll pass off to the
remote, simply give the host name:

ssh django.radiotope.com

Easy, right?

It All Comes Out In The Wash 

Of course, the first 's' in ssh stands for "secure". You should
have noticed that the first time you connect to a server, you're
asked to verify and accept the host's key. The exchange looks
something like this:

$ ssh marczak@django.radiotope.com
The authenticity of host 'django.radiotope.com (10.10. / .iJ)'
can't be established.
RSA key fingerprint is
cd:42:72:31:47:15:80:e6:31:36:66:n:S6:ef:db.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'django.radiotope.com' (RSA) to
the list of known hosts.
marczak@django.radiotope.com's password:
Last login: Wed Aug 29 10:56:25 2007

Also note the part about "permanently added...to the list of
known hosts". This list is kept in ~/.ssh, in a file named
"known_hosts". Don't forget that the "." in front of the file name
means that it's hidden in terminal unless you use the "-a" switch
with ls. (OK - or if you're root, or have performed some other
trickery with environment variables, etc. If you've done that,
then you probably know what you're doing...move along,
nothing to see here). ssh adds both the host's key, dns name
and IP address to the known_hosts file.

If the host key ever changes, you'll be notified when you
connect:

@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-
middle attack)!
It is also possible that the RSA host key has just been
changed.
The fingerprint for the RSA key sent by the remote host is
55:7fi:c6:2A:2b:44:3c:55:67:c5:e9:01:l7:ef:B3:hd.
Please contact your system administrator.
Add correct host key in /Users/marczak/.ssh/known_hosts to
get rid of this message.
Offending key in /Users/marczak/.ssh/known_hosts:70
RSA host key for gryphon.radiotope.com has changed and you
have requested strict checking.
Host key verification failed.

...and you'll be left back at a prompt, rather than connecting.
If the host's key and IP address change, you will see a different
message:

@       WARNING: POSSIBLE DNS SPOOFING DETECTED!          @
The RSA host key for gryphon.radiotope.com has changed,
and the key for the according IP address 192.168.86.6
has a different value. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
Offending key for IP in /Users/marczak/.ssh/known_hosts:59

All of this helps keep the first 's' in ssh! In the next section, I'll
talk a little bit about configuration of ssh, but do know that you
can turn this feature off. Doing so will warn you, but still allow
you to connect:

$ ssh -l root django.radiotope.com
Warning: the RSA host key for 'django.radiotope.com' differs
from the key for the IP address '192.168.8R.3'
Offending key for IP in /Users/marczak/.ssh/known_hosts:2?
Matching host key in /Users/marczak/.ssh/known_hosts:30
Are you sure you want to continue connecting (yes/no)? yes
Password:
Last login: Wed Aug 29 10:56:25 2007

These are excellent things to be mindful of as you use ssh.

You've got to go forwards
to go back

Now that you have the basics down, let's look at some
configuration options. On an OS X machine, you'll find the file
/etc/sshd_config that configures the sshd server. Since
this is an introductory and cookbook type article, I won't
exhaustively detail every option, but only ones that impact the
options I'll refer to in this article itself.

If you open up /etc/sshd_config, you'll notice that much
of it is commented out with "#" symbols. This shows the default
values of these parameters. Uncommenting them will allow you
to change the values. Unlike other varieties of Unix, and thanks
to launchd, just make the change, and it will go into effect
upon next connection. Since sshd isn't really running all the
time, there's no need to HUP or restart it.

Any ssh server exposed to the Internet - directly or
through a firewall via port forwarding or PAT - should
immediately uncomment the "PermitRootLogin" line, and
change it to "no".

Now, that was a bit simplistic, and on OS X Server, we
need to take one other thing into account: if we're running
Open Directory. An unadorned ssh server is needed when
creating an Open Directory replica. The replica uses ssh to
connect to the OD master and transfer the LDAP database. So,
you can either a) not expose an OD master to the Internet -
use another machine for remote ssh access - or b) remember
to toggle this back when adding a replica.
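The PermitRootLogin advice above can be checked mechanically. The following is an added example, not part of the original article: a POSIX shell function that reports the value sshd would take from the global section of a config file, relying on the sshd_config rule that the first value obtained for a keyword is the one used. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit PermitRootLogin in an sshd_config.
# Function names and the sample configs below are constructed for illustration.

# permit_root_login_setting FILE
# Prints the first uncommented PermitRootLogin value in the global section
# (everything before the first "Match" line), lowercased, or "unset" if the
# keyword appears only commented out or not at all.
permit_root_login_setting() {
    awk '
        BEGIN { found = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)               # strip leading whitespace
            if (line == "" || line ~ /^#/) next    # blank line or commented-out default
            n = split(line, field, /[ \t]+/)
            key = tolower(field[1])                # keywords are case-insensitive
            if (key == "match") exit               # conditional blocks are out of scope here
            if (key == "permitrootlogin" && n >= 2) {
                print tolower(field[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# root_login_disabled FILE
# Succeeds only when the file explicitly sets PermitRootLogin to "no".
root_login_disabled() {
    [ "$(permit_root_login_setting "$1")" = "no" ]
}

# write_sample_config FILE MODE
# Writes a constructed config. "stock" leaves the line commented out, as in
# an untouched file. "hardened" uncomments it and sets it to no, followed by
# a later contradictory line that is ignored because the first value wins.
write_sample_config() {
    case $2 in
        stock)
            printf '%s\n' '#Port 22' '#Protocol 2,1' '#PermitRootLogin yes' \
                '#StrictModes yes' > "$1" ;;
        hardened)
            printf '%s\n' '#Port 22' 'PermitRootLogin no' '#StrictModes yes' \
                'permitrootlogin yes' > "$1" ;;
    esac
}

# Demo on the two constructed files.
demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/sshdcfg.XXXXXX")
for mode in stock hardened; do
    write_sample_config "$demo_dir/sshd_config" "$mode"
    if root_login_disabled "$demo_dir/sshd_config"; then
        verdict=ok
    else
        verdict=REVIEW
    fi
    setting=$(permit_root_login_setting "$demo_dir/sshd_config")
    echo "$mode: PermitRootLogin=$setting -> $verdict"
done
rm -rf "$demo_dir"
```

A result of "unset" means the file leaves the decision to the built-in default, which is the case the article says to change on any Internet-facing server.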

On the client side, you can edit /etc/ssh_config. I
typically add the following two lines to any client I touch
immediately.

TCPKeepAlive yes
ServerAliveInterval 30


Just tack these onto the end of the stock ssh_config file.
These will 'ping' the server using a handshake protocol that
stops you from getting dropped if you're idle.

As referenced earlier, if a server's key changes, you'll be
stopped from connecting in the default state. This is controlled
by the "StrictHostKeyChecking" option. It's set to "yes". While
possibly unfriendly, a host's key should basically never change,
so, I recommend leaving it set this way. Other possible values
are "no", which just blindly adds the new host key to your
known_hosts file, and "ask", which warns you and asks if you
would still like to connect. If you answer "yes", the new key
will be added to your known_hosts file at that point.

Nicely, you can specify options as parameters, so, if you
use DHCP to hand out client addresses, many times the IP
address will not match the key as recorded - properly so. If you
are connecting to a host that you know will not match, you can
leave your /etc/ssh_config file alone, and for this time, use this:

ssh -o stricthostkeychecking=ask django.radiotope.com

There are nice man pages for both ssh_config and
sshd_config that explain each option.

I am extraordinarily busy, sir 

So, now you have an ssh server, or servers to use, as every
OS X machine in your midst is potentially an ssh server.
"Remote Login" is enabled by default on OS X Server, and I
enable it on OS X in my standard operating environment (SOE)
images. What can we do from here?

One thing that makes life with ssh very sweet is
password-less login. While this is possible in a single-sign on
environment, you may be dealing with machines that aren't part
of this setup. Password-less login uses the keys that were
referenced above. To do so, you need to generate a public key
for your account, and transport that key to any server that you'd
like to login on without using a password. Here's a short
tutorial/how-to.

First, generate your keys: 

$ ssh-keygen -t rsa -b

You'll receive the following output, during which you can
press return to accept the defaults for each question:

Generating public/private rsa key pair.
Enter file in which to save the key
(/Users/edacct/.ssh/id_rsa):
Created directory '/Users/edacct/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in
/Users/edacct/.ssh/id_rsa.
Your public key has been saved in
/Users/edacct/.ssh/id_rsa.pub.
The key fingerprint is:
4/:bl r/b:ec :de:6l :b4:e0:23: / d:fc:bd: If :6!5:8 c: 11 edacct@Jack-Kerouac.local

Again, simply press return for each question - including the
passphrase questions.

Second, notice the line that states, "Your public key has
been saved in /Users/edacct/.ssh/id_rsa.pub". This is the file
that we need to transport to the server, and add its contents to
the target account's authorized_keys file. You can do this
several different ways, and I'll cover one simple one here.

Simply "cat /Users/edacct/.ssh/id_rsa.pub |
pbcopy" (substituting the appropriate account name), which
will place the contents of your key onto the clipboard, or "paste
buffer", ready to be pasted (Apple-v or Edit->Paste). Now, ssh
into the target machine. For example:

ssh edacct@django.radiotope.com

You'll still need to supply your password, as we haven't altered
the server yet. Once in, edit the ~/.ssh/authorized_keys file, and
tack the paste buffer onto the end:

$ vi .ssh/authorized_keys


ssh-rsa [base64 public key data] edacct@Jack-Kerouac.local

This may be the only entry in the file, which is just fine. If there are already entries, navigate to the end and place this on its own line.

Finally, log out of the target machine, and then ssh right back in again. This time, you should find yourself logged in, no password asked of you. While this may be a convenience when you're working interactively, the real bonus comes in when using ssh or scp (a utility that copies data over an ssh connection) in a script - no human present. Also, you'll see further on that ssh can do much, much more than simply present you with a remote interactive shell.
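
The paste-into-vi step above can also be scripted on the target machine. This is an added example, not code from the original article: it appends a public key to authorized_keys only when that exact entry is missing, keeps each entry on its own line, and sets permissions that sshd's default StrictModes check accepts. The function name, the sample key and the scratch paths are constructed for illustration.

```shell
#!/bin/sh
# install_pubkey KEYFILE SSHDIR
# Append the public key stored in KEYFILE to SSHDIR/authorized_keys.
# Returns 0 on success (including "already present"), 1 if KEYFILE cannot be
# read or SSHDIR cannot be created, 2 if KEYFILE does not hold a public key.
install_pubkey() {
    keyfile=$1
    sshdir=$2
    authfile=$sshdir/authorized_keys

    [ -r "$keyfile" ] || return 1

    # A public key file is a single line: key type, base64 data, comment.
    key=$(head -n 1 "$keyfile")

    # Refuse anything else, e.g. the private key (id_rsa) picked by mistake.
    case $key in
        ssh-rsa\ ?*|ssh-dss\ ?*|ssh-ed25519\ ?*|ecdsa-sha2-*\ ?*) ;;
        *) return 2 ;;
    esac

    # Only the owner may read or write the directory and the key list.
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # If the last existing entry lacks a trailing newline, add one so the new
    # key lands on its own line. $(...) strips a final newline, so a non-empty
    # result means the file ends in some other character.
    if [ -s "$authfile" ] && [ -n "$(tail -c 1 "$authfile")" ]; then
        printf '\n' >> "$authfile"
    fi

    # -x whole line, -F fixed string: append only if this exact entry is absent.
    grep -qxF -e "$key" "$authfile" || printf '%s\n' "$key" >> "$authfile"
}

# Demonstration in a scratch directory with a constructed, non-functional key.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-rsa Q09OU1RSVUNURUQ= edacct@constructed.example' > "$demo_dir/id_rsa.pub"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh"   # second run adds nothing
wc -l < "$demo_dir/.ssh/authorized_keys"
rm -rf "$demo_dir"
```

A key created with an empty passphrase, as in the tutorial, is only as well protected as the private key file itself, so keep id_rsa readable by its owner alone.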

Little surprises around every corner

Let's get to the good stuff. You've seen the basics, but what else can ssh do to make your tech life easier and better?

Port Forwarding

Port forwarding may be one of the more popular 'alternative' ways to use ssh. Why the heck would you want to do that? Well, the simple reason is that you can protect clear-text protocols in this manner. Take POP mail retrieval for example. Typically, not only are the username and password sent in the clear, but the body of each message is transferred in plain text. If you're at a conference, or sitting in your local WiFi-equipped coffee shop, you're exposing all of this information to anyone that wants to sniff it. And that's just not cool. So, we tunnel it through ssh.

Here's an example, and then we'll dissect it:

ssh -N -L 8110:mail.radiotope.com:110 edacct@mail.radiotope.com

This tells ssh:

-N no interactive shell, thankyouverymuch.

-L On this local machine, take port 8110, and forward all requests to mail.radiotope.com's port 110.

edacct@mail.radiotope.com is the id that we're authenticating with, and the host that we're forwarding through, which, in this case, is the same as the remote destination itself.

You're still connecting to a host, but then the "-L" switch tells that host what to do with packets arriving on the port you specified. Interestingly, you can forward to another machine that the remote machine has access to. Let's say that your office has a single ssh bastion host, but you need to tunnel to another machine on that LAN. No prob. Just forward to that machine:

ssh -N -L 8110:192.168.55.6:110 edacct@gw.radiotope.com

What's going on here? Look at figure 2, which may help.

Figure 2 - ssh tunneling pass-through


In Figure 2's example, the firewall at gw.radiotope.com has port 22 port forwarded to server.radiotope.com. Telling ssh to connect to gw really connects us to server. server.radiotope.com handles the ssh connect, authentication and session, but then, as instructed by the "-L" switch, passes the traffic through to 192.168.55.6's port 110.

Once a port forward is in place, it's your local machine that now has a port open for listening. So, in the example of POP that we've been using, you'd need to tell your mail program that the server is at localhost, or 127.0.0.1, running on port 8110. Of course, this then gets shuttled over the ssh connection to the designated remote machine on the designated port.

Remote Port Forwarding

Remote port forwarding allows the remote machine to define the tunnel. For instance, take this example:

ssh -N -R 8022:127.0.0.1:22 admin@loud.radiotope.com

This tells the ssh server - the machine that you're ssh'ing into - to take traffic on port 8022, and pass it back along to the client machine at 127.0.0.1 - itself, on port 22. In this case, the server is loud.radiotope.com, and the client is whatever machine you're on. Then, from loud.radiotope.com, we can simply:

ssh -l marczak -p 8022 127.0.0.1

...to log into the remote host. What's happening here? Let's visualize it again:

Figure 3 - Remote port forward

You, at 10.10.10.7, have a very restrictive firewall in place that doesn't allow any incoming connections. However, it does allow you to get an ssh connection out. To allow someone on loud.radiotope.com to ssh into your machine, you create a reverse port forward. We ssh into loud with the "-R 8022:127.0.0.1:22" parameter. This tells loud.radiotope.com to listen on port 8022, and forward it along to the client. Then, someone on loud can connect to the local port of 8022, which will forward along to us over ssh.

You can even connect two separate machines this way, however, some configuration changes must be made. On the server (loud.radiotope.com), the /etc/sshd_config file must be modified. Change the line:

#GatewayPorts no

to

GatewayPorts yes

Additionally, you must also specify "-g" on the ssh command line, which tells the server to allow remote connections to use the forwarded port.

Again, let's visualize:

Figure 4 - Remote port forward with gateway mode enabled

On server.radiotope.com, remote port forward to public.example.com, using this command:

ssh -N -g -R 8022:127.0.0.1:22 admin@public.example.com

Now, public.example.com is listening on port 8022 on all interfaces, and passing it through to server.radiotope.com on port 22. On the laptop in figure 4, you can access server.radiotope.com - even though it's not allowed by the firewall - simply by connecting to public.example.com:

ssh -p 8022 account@public.example.com

Note that the account used is an account on server.radiotope.com!

SOCKS Proxy

Certainly one of the lesser-known features of ssh is its ability to act as a SOCKS proxy. Rather than forward a specific port, or ports, SOCKS is a dynamic proxy, forwarding any ports requested. This doesn't solve every problem, though, as applications must be written with SOCKS proxy support. Most web browsers support SOCKS, as do many ftp clients.

To test this, open a web browser, I'm going to target Safari here, and go to http://www.whatismyip.com. Make a note of your ip address as it shows to an external web site. In a local shell, run this:

ssh -N -D 9999 account@public.example.com

where public.example.com is a machine on a remote network that you have ssh access to. Once complete, open Safari's preferences and choose the advanced tab, or, go right for the Network Preference pane. If you're using a different web browser, adjust the proxy setting accordingly.

Figure 5 - SOCKS proxy configuration


50 October • 2007    WWW.MACTECH.COM








































Apply the changes and now, reload the whatismyip page. See? All requests look like they're coming from the remote machine. Note, though, that if you're counting on this for security or privacy, don't. For web browsing, cookies, Google analytics and others will foil you. Also, your DNS requests are not re-routed, so, those requests will still show up in your local or ISP's DNS server.

Passing Commands

If given a command, ssh will run that command on the remote host and return the output to you:

$ ssh loud.radiotope.com last
Password:
ladmin    ttyp9                      Thu Aug 16 07:39   still logged in
ladmin    ttyp9                      Thu Aug 16 07:39 - 07:39  (00:00)
ladmin    console  loud.radiotope.c  Thu Aug 16 07:39 - 07:43  (00:04)
marczak   console  loud.radiotope.c  Tue Aug 14 17:30 - 07:39 (1+14:09)

This is, naturally, incredibly handy for scripts, and a great way to collect remote data about hosts.

You can also run commands that require interaction, however, try it, and you may get some strange results, and a message like this:

$ ssh 127.0.0.1 vi .ssh/known_hosts
Password:
Vim: Warning: Output is not to a terminal
Vim: Warning: Input is not from a terminal

What's happening? Since ssh is just expecting to run the command and bail out, there's no real terminal allocated for the environment. Never fear, as you can tell ssh that you'd like a pseudo tty allocated for this very reason. Just use the "-t" flag. This is handy when using an editor remotely, using an IRC client from a remote machine, or finding that server with nethack on it!

One great trick is to gather your server list somewhere, and to run the same command on each. While this could be a full script, here's a one liner to see who's logged into 3 different servers using the w command:

servers="loud.radiotope.com 192.168.55.9 public.example.com"; for host in $servers; do ssh user@$host "w"; done

Of course, setting this up with password-less keys will really make this script useful.

Moving Data

With an ssh server running, there are several options for transferring data to and from that system. Two methods are distinct binaries that install alongside the ssh app itself.

The first is scp. The 'secure copy' application tunnels the copy across an ssh link. Its invocation resembles the standard cp command:

scp local_file account@public.example.com:path/remote_name

This copies "local_file" to "account's" home directory, in the folder "path", naming the result "remote_name". To copy from a remote server, just reverse the source and destination:

scp account@public.example.com:some_file ./

This copies "some_file" from "account's" home directory on public.example.com into the current working directory, giving it the same name. Like cp, you can use the "-r" switch to recursively copy entire directories.

When installed with the sftp subsystem, an ssh server also offers an ftp-like interactive interface. Just use 'sftp' in place of 'ftp':

$ sftp 127.0.0.1
Connecting to 127.0.0.1...
Password:
sftp> ls
Applications    Desktop    Desktop DB    Desktop DF    Documents
Library    Movies    Music    Pictures    Public    Sites
iQemberd_diiflip.log    stop_vm_log.sh    test.jpg    test2.jpg
sftp> get test2.jpg
Fetching /Users/marczak/test2.jpg to test2.jpg
/Users/marczak/test2.jpg    100%   18KB  38.0KB/s   00:00
sftp> quit

Anyone familiar with an ftp shell should be immediately comfortable with sftp.

scp and sftp are fine, fine utilities. However, we're OS X people, and we have certain needs. We like our data fork and resource fork to get transferred. We like our metadata on the complete side. Neither of which scp and sftp will do. Let's take advantage of pipes and redirection.

If we're local on an OS X box and want to copy data, ditto is the preferred method. Written specifically for OS X, we get to have our data fork and resource fork, too. We can extend this by taking ditto's output and sending it not to a disk-based file, but to standard out. Pipe this into ssh, which will happily read it and spit it out on the remote end. Let's start with a simple example:

cat data.txt | ssh -l user loud.radiotope.com '(cat > data2.txt)'

First, we send data.txt to standard out using cat. This is piped to ssh, which connects to the remote host loud.radiotope.com, which in turn takes the piped text, passes it over the encrypted connection, and passes it in to the subshell on standard in. We run commands that take standard in and write it to the file data2.txt. Let's extend on this:

ditto -c MyFolder - | ssh loud.radiotope.com ditto -x - ./MyFolder

The first part, before the pipe, is a standard ditto command. The "-c" switch tells ditto to create a cpio archive of the data it's receiving. The trailing hyphen tells ditto to send its output on standard out. From there, the data is piped to ssh, connecting to loud.radiotope.com, where the data is piped into ditto running on the remote computer. The "-x" switch on the remote tells ditto to expect cpio archive formatted data, followed by a single hyphen, forcing data to be read from standard in. Finally, we tell ditto on the remote what folder to put all of this data into.

The examples in this section are extremely powerful, and allow you to move massive amounts of data in a safe fashion. Combine these with some of the port forwarding techniques listed earlier, and you can reach hosts potentially not possible for you before.

Finally, it would be foolish of me not to mention rsync. While I covered ditto first due to its OS X-specific nature, rsync is a much more efficient application all around if you need data forks only. This turns out to cover the vast majority of data. Of course, I bring this up as rsync can transport over ssh without any fancy shell piping tricks. Just use the "-e" switch:

rsync -ave ssh --delete /path/to/data user@loud.radiotope.com:/path/to/destination/

Appropriate for anything not containing a resource fork or Mac-specific metadata that you wish to keep intact.

Other Apps

Finally, note that many GUI apps that offer a remote connection, such as Dreamweaver, TextWrangler or your favorite ftp application will offer to do so over ssh or sftp (ssh protected ftp), protecting your content, id and password.

You'll get a stomachache if you swallow it like that

ssh was designed for security - we can now see that. Like anything, though, your implementation must be well thought out. Here are some things to watch out for.

ssh can't protect you against weak passwords! The few times I've heard of an OS X machine getting hacked, it was because the owner had an account named "test" with a password of "test" enabled on the machine. Another popular one is "game" and "game". DON'T MAKE THIS MISTAKE!

Choose strong passwords, don't allow passwords at all, or restrict the users that can access the machine via ssh.

The password issue also burns people setting up OS X Server. OS X Server enables root by default. It also enables sshd ("Remote Login"). Where does root's password come from? It comes from the initial admin account that is set up when you first install the server. So, if your initial admin password is weak, and you decide to change it later, do not forget to change root's password as well! Past that, they're out of sync.

Also, for you network administrators: ssh should pretty much make you sick. If you didn't get the dry-heaves reading the section on remote port forwarding, go read it again and think of the implications. Like anything, security is a balance. If you run any networks where guests are allowed access, think hard about allowing them outbound ssh.

There are options in sshd_config that will appeal to the security conscious. Check out the man page and implement appropriately. In particular, look at the following options: ignorerhosts, rhostsauthentication, rhostsrsaauthentication, rsaauthentication, passwordauthentication, permitemptypasswords and uselogin.
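
One way to check a server against the advice in this section, as an added example that is not part of the original article: a small audit that reads the global section of an sshd_config and reports PasswordAuthentication, PermitEmptyPasswords and IgnoreRhosts from the list above, GatewayPorts from the remote port forwarding section, and whether any AllowUsers/AllowGroups restriction exists. The function names, the wanted values (a policy assumption) and the sample configuration are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# effective_value FILE KEYWORD
# Print the value set for KEYWORD in the global section of FILE (lower-cased),
# or nothing if the keyword is not set there. sshd uses the first value it
# obtains for a keyword, so later repeats are ignored.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        {
            sub(/^[ \t]+/, "")
            # "Keyword=value" is accepted as well as "Keyword value"
            if (match($0, /^[A-Za-z0-9]+[ \t]*=/))
                $0 = substr($0, 1, RLENGTH - 1) " " substr($0, RLENGTH + 1)
        }
        tolower($1) == "match" { exit }          # conditional blocks start here
        tolower($1) == want    { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE
# Print one line per finding; print nothing when every check passes.
audit_sshd_config() {
    cfg=$1
    # keyword:value this audit wants (assumed policy, adjust as needed)
    for rule in passwordauthentication:no permitemptypasswords:no \
                ignorerhosts:yes gatewayports:no; do
        keyword=${rule%%:*}
        wanted=${rule#*:}
        actual=$(effective_value "$cfg" "$keyword")
        if [ -z "$actual" ]; then
            printf '%s: not set, built-in default applies (want %s)\n' "$keyword" "$wanted"
        elif [ "$actual" != "$wanted" ]; then
            printf '%s: %s (want %s)\n' "$keyword" "$actual" "$wanted"
        fi
    done
    # "restrict the users that can access the machine via ssh"
    if [ -z "$(effective_value "$cfg" allowusers)$(effective_value "$cfg" allowgroups)" ]; then
        printf 'allowusers/allowgroups: not set, no allow-list of accounts\n'
    fi
}

# Constructed sample configuration, not taken from the article or a real host.
sample_config() {
    cat <<'EOF'
# constructed sample
Port 22
PasswordAuthentication yes
passwordauthentication no
PermitEmptyPasswords=no
GatewayPorts yes
#IgnoreRhosts no
Match User backup
    IgnoreRhosts no
EOF
}

demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
audit_sshd_config "$demo_cfg"
rm -f "$demo_cfg"
```

On a live server, `sshd -T` prints the fully resolved configuration and is the authoritative source; the script above is for reviewing a config file offline.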

I'm sorry, but all questions must be submitted in writing

So, to answer the original question: is there anything that ssh can't do? Well, it won't make you julienne fries, however, you could certainly ssh into a fry maker and control it remotely! I had hoped to also cover a shell that makes ssh control over multiple machines a breeze, but this info seemed to be more than enough. The other info will have to wait for a future column. In the meantime, get some practice with the techniques described here. I'm sure you'll come to depend on them in short order!

Media of the month: Liam Finn's debut album, "I'll Be Lightning". I'm always keeping my ears open for something new, unique and fresh. Liam delivers. If you're an iTunes person, it's currently only available on the Australian iTunes store. CD hits America this January.

Speaking of January, Macworld will be upon us again. Despite the seeming feeling that we're always making plans for some Mac show...I hope you're making your plans for Macworld, and to see you there.

http://www.radiotope.com



















Introduction 


Today, we will look at the command-line tool tar. We will learn how to use this tool to create a basic archive. We will also learn how to use the tool to manage the contents of the archive. Finally, we will learn how to integrate the tar tool with the Xcode environment.

Version 10.4.2 of OS X ships with version 1.14 of the tar tool. Later versions of OS X may ship with newer versions of that tool. [Ed. note: 10.4.10 also contains tar version 1.14.]

So, start up a Terminal session and learn how to work with this flexible tool.

Tarballs and the Tar Tool

The tar tool is found in most Unix-based systems such as MacOS X. It is located in the /usr/bin directory of the boot volume. The original function of the tool is to copy a group of files and store the copies into an external tape unit. Now, the tool will combine those same copies into an archive file called a tarball.

The tarball is a cross-platform archive. It can be shared across multiple platforms without any loss of data. A tarball is also safe since it does not allow any self-executing code. It is also easily compressed to reduce its overall size.

Both the tar tool and the tarball format are open-source. Users can download the project files and develop custom solutions for their archive needs. Also, the tar tool itself is a free tool.

Alternatives to tar

MacOS X, however, provides other ways to archive files. One way is to use the DMG file. This file is created using either the Disk Utility or the hdiutil tool. Double-clicking on the file causes it to be mounted on the desktop. Files are then copied or moved to the mounted DMG file.

Most OS X developers use DMG files to distribute their Cocoa applications. Some use it to distribute installer packages. Users can also use a DMG file to back up data onto optical media such as CD-Rs. DMG files, however, are supported only on MacOS X.

Another way to archive files is to use either a SIT or a ZIP file. A SIT file is created using either DropStuff or StuffIt Deluxe. A ZIP file is created using either DropZip or the zip command-line tool. These applications compress the files before adding them to the archive. To get the contents of the archive, a separate tool such as StuffIt Expander is often used.

Both SIT and ZIP files are cross-platform formats. Also, the SIT file preserves any resource forks found in the files. It even has the extra option of supporting passwords to encrypt its contents. [Ed. note - OS X created zip files will also preserve resource forks by using the AppleDouble format.]

But the SIT file is a closed format. The tools needed to create the file are not free; they must be purchased from a reputable vendor. The ZIP file, on the other hand, is an open format. But it lacks some of the features offered by the tar tool.


Basic Tar Usage 


Using the tar tool is easy and straightforward. Most tar statements follow the same basic syntax shown below.

tar --file=tarball --command [--subcommand] \
    [path_to_payload [path_to_payload]]

The --file argument is the path of the tarball. The --subcommand argument is the action to be taken by the tool. A tar statement can have more than one subcommand. But in most cases, one subcommand is enough.

The last argument is the path to the file payload. There can be more than one payload path for a given tar statement. But there are subcommands that do not need this argument. These subcommands are often used to manage the tarball itself. We will learn more about them later in the article.

Creating a tarball

Assume that we have two files: foo.txt and bar.log. To create the tarball, foobar.tar, use the --create subcommand.

tar --file=foobar.tar --create foo.txt bar.log

First, the tar tool copies the two file payloads. It then combines the copies into a single tarball (Figure 1). Next, the tool adds header data (olive) to each archived payload. This data identifies the location and size of each payload in the archive.

Figure 1. Creating a tarball.

The example will create the tarball in the same directory as the payloads. To create the tarball in a separate directory, e.g. /Volumes/Downloads, pass the full path to the --file argument.

tar --file=/Volumes/Downloads/foobar.tar --create foo.txt bar.log

Also, make sure to specify at least one payload when creating the tarball. Otherwise, the tool returns an error if it tries to create an empty tarball.

Adding another file

Now assume that we have another file named nue.xml. To add this file to foobar.tar, use the --append subcommand.

tar --file=foobar.tar --append nue.xml

The tar tool copies the new payload to the end of the tarball (Figure 2). It then updates the header information to reflect the new addition.

Figure 2. Adding a file to the tarball.

Retrieving a file

To retrieve a file, e.g. nue.xml, from foobar.tar, use the --extract subcommand.

tar --file=foobar.tar --extract nue.xml

The tar tool first searches the tarball for the specified file. If the file exists, the tool extracts a copy and saves it on the current directory (Figure 3). Otherwise, the tool returns an error message.

Figure 3. Retrieving a file from the tarball.

Removing a file

To remove a file, e.g. nue.xml, from the tarball, use the --delete subcommand.

tar --file=foobar.tar --delete nue.xml

Again, the tar tool searches the tarball for the specified file. If the file exists, the tool removes the file from the tarball (Figure 4). It also returns an error message if the file does not exist.

Figure 4. Removing a file from the tarball.

If the file to be deleted was located in a different directory, make sure to use the correct path for that file. For instance, if bar.log was originally in /Library/Logs, type the tar statement as follows.

tar --file=foobar.tar --delete /Library/Logs/bar.log

Listing the contents

To list the contents of foobar.tar, use the --list subcommand.

tar --file=foobar.tar --list

The tar tool reads the header information of the tarball, and displays it as a simple list (Figure 5). For a more detailed list, add a --verbose subcommand to the statement.

tar --file=foobar.tar --list --verbose

The tar tool then displays the contents of the tarball, and the metadata of each archived file (Figure 6).

Figure 5. Listing the contents of the tarball.

Figure 6. Displaying a more detailed list.


Compressing the tarball

The tar tool stores the files into the tarball uncompressed. But it can use other tools to compress the tarball itself. The current version of the tool uses one of three compression tools: compress, bzip2, and gzip. To compress the tarball, select which compression tool to use when creating the tarball. Make sure to use the same tool when working with the compressed tarball.

For example, to create foobar.tar and compress it using the gzip tool, add the --gzip subcommand.

tar --file=foobar.tar.gz --create --gzip foo.txt bar.log

As usual, the tar tool combines the files foo.txt and bar.log into foobar.tar. Then, it uses gzip to compress the entire file (Figure 7).

If you want to use the compress tool, use the --compress subcommand. For the bzip2 tool, use the --bzip2 option.

Make sure to add the correct file extension to the tarball's filename. The extension specifies which tool was used. For the compress tool, use the extension .Z. For the bzip2 tool, use .bz2; the gzip tool, use .gz.

As stated earlier, use the same compression tool when managing the tarball. Otherwise, the tar tool will return a message stating that the file is not valid. For instance, to list the contents of foobar.tar.gz, type the tar statement as follows.

tar --file=foobar.tar.gz --list --gzip

To add nue.xml to the tarball, type the following statement.

tar --file=foobar.tar.gz --append --gzip nue.xml

Figure 7. Compressing with gzip.

Advanced Tar Usage

The tar tool also has a number of subcommands to do various tasks. Some subcommands control how files are added to the tarball. Some control how files are extracted from the tarball. Others control how the tarball is managed.

For reasons of length, we will cover only those subcommands useful for daily tasks. You can, however, view the rest by typing info tar at the Terminal prompt.

Modifying the archived metadata

When you add a file to the tarball, the tar tool preserves the metadata assigned to the file. But you can use the right subcommand to override this behavior. Also, the subcommand affects only the archived file; it does not affect the original.

Assume you want to add the bar.log file to foobar.tar. To change the permissions of bar.log, use the --mode subcommand to pass the new settings.

tar --file=foobar.tar --append bar.log --mode=new_permissions

The tar tool makes a copy of bar.log and sets its permissions to new_permissions. The tool then adds the modified copy to the end of foobar.tar. For instance, Figure 8 shows the tool changing the permissions of bar.log from 444 to 747.

Figure 8. Changing the file permissions.

In the above example, the new permissions are passed as octal values. But you can also pass a formatted string to the --mode subcommand. This is handy when you find it difficult to think in octal terms. For instance, instead of passing the octal value 747, pass the string value of uo=rwx,g=r. To learn how to write permissions as formatted strings, type info chmod at the Terminal prompt.

You can also use the tool to change the uid and gid of the archived file. The uid (user id) specifies the user who owns the file. By default, this is either your username or root. The gid (group id) specifies the group to which the user belongs. This is often either admin or wheel.

Assume again that you are adding bar.log to foobar.tar. To change the uid of bar.log, use the --owner option.

tar --file=foobar.tar --append bar.log --owner=new_uid

The tar tool copies bar.log and sets its uid to new_uid. It then adds the modified copy to the end of foobar.tar. For instance, Figure 9 shows the tool changing the uid of bar.log from John to smith.

Figure 9. Changing the file uid.

Now to change the gid of bar.log, use the --group option.

tar --file=foobar.tar --append bar.log --group=new_gid

Again, the tar tool copies bar.log and sets its gid to new_gid. As usual, it adds the modified file to the end of foobar.tar.

You can also change both uid and gid at the same time. To do so, use the --owner and --group options on the same statement.

tar --file=foobar.tar --append bar.log --owner=new_uid --group=new_gid

Make sure that new_uid or new_gid exists. Otherwise, the tar tool will return an error message stating that these values are not valid. Use the NetInfo Manager tool to check if these values exist on your OS X system.

Selecting files for the tarball 

When you select files for the tarball, you list 
their names or patiis ai the end of the tar statement. 
This becomes unwieldy when selecting large sets of 
files, Naairally, the tar tool supports oUier ways of 
adding files to the tarliall. 

One way is to copy the files into a separate 
directory, 'fhen use the directory itself as the input 
argument. For example, as.sume the files are in the 
directory sample. To CTeate foobar, tar using files from that 
directory, type the tar statement as follows. 

tar -file=foobar,tar -create sanple/* 

Again, this .statement assumes foobar , tar will be in the same 
directory as sample. 

I’he wildcard character ‘ * ’ at the end of sample tells the 
lar tool lo add all the files from tliai directory into 
foobar . tar. You can, however, use the --exclude 
sulxommand to filter out specific files. For example, lo exclude 
all XML files from foobar,tar, type the lar statement as 
follows. 

tar - flle=f(3abar. tar Lteato nflitiple/’ exclude™'’" .xml’’ 
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The Uir tool examines tlie contents of die directory sample. It 
then creates foobar.tar and adds the files from sample, 
except those with an .xml extension (Figure 10). 


“ saripie 



Figure TO. Adding and excluding files from a directory. 


Make sure to enclose the filter pattern in double quotes. Avoid using regex patterns as they are not currently supported.

A second way of adding large sets of files is to use a text file containing a list of those files. Then pass the text file to the tar tool using the --files-from subcommand. For example, to use the file sample.list, type the following statement at the prompt.

tar --file=foobar.tar --create --files-from=sample.list

The tar tool retrieves the list of files from sample.list. It then creates foobar.tar using the files specified by the list (Figure 11). You can still use the --exclude subcommand to filter out unwanted files.

Selecting files from the tarball

When selecting files from the tarball, you list their names or paths at the end of the tar statement. The tool retrieves the specified files and saves them on the current directory. If the directory has a file with the same name as the extracted one, the tool will replace that file.

Of course, you can use a pattern to select which files to retrieve. For example, to retrieve only files with a .log extension, use the *.log pattern at the end of the tar statement.

tar --file=foobar.tar --extract *.log

You can also control how the tar tool replaces existing files. To replace only those files older than the ones in the tarball, use the --keep-newer-files subcommand.

tar --file=foobar.tar --extract --keep-newer-files

To stop the tool from replacing any file, use the --keep-old-files subcommand.

tar --file=foobar.tar --extract --keep-old-files

You can also save the retrieved files into a different directory. Use the --directory subcommand to pass the directory path to the tool. Make sure the directory exists, or the tool will return an error message.

For example, assume you want to save all retrieved files into the directory output. To use that directory, type the tar statement as follows.

tar --file=foobar.tar --extract --directory=output

The tar tool extracts all the files from foobar.tar, and stores them into the output directory (Figure 12).



Figure 12. Saving files into a separate directory. 
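
The replacement behaviour described in this section, as an added example that is not part of the original article: the script builds a constructed foobar.tar and reports which copy of bar.log survives a --keep-old-files extraction, a --directory=output extraction, and a plain extraction. The function names, the temporary work directory and the file contents are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article). File contents are constructed:
# the archived bar.log says "archived", the on-disk copy says "local edit".

# make_fixture DIR: create DIR/foobar.tar holding bar.log, then change the
# on-disk bar.log so it differs from the archived copy.
make_fixture() {
    mkdir -p "$1/output" &&
    ( cd "$1" &&
      printf 'archived\n' > bar.log &&
      tar --file=foobar.tar --create bar.log &&
      printf 'local edit\n' > bar.log )
}

# extract_and_show DIR [TAR-OPTION...]: extract foobar.tar inside DIR with
# the given options and print the resulting content of DIR/bar.log.
extract_and_show() {
    dir=$1; shift
    # Some tar versions exit non-zero when --keep-old-files skips a file,
    # so the exit status is deliberately ignored here.
    ( cd "$dir" && tar --file=foobar.tar --extract "$@" 2>/dev/null ) || true
    cat "$dir/bar.log"
}

# run_demo: print "kept|isolated|in_output|replaced", where each field is the
# content of bar.log after one extraction mode.
run_demo() {
    work=$(mktemp -d) || return 1
    make_fixture "$work" || return 1
    # 1. --keep-old-files: the existing file must not be replaced.
    kept=$(extract_and_show "$work" --keep-old-files)
    # 2. --directory=output: the file in the current directory is untouched,
    #    the archived copy lands in output/.
    isolated=$(extract_and_show "$work" --directory=output)
    in_output=$(cat "$work/output/bar.log")
    # 3. Plain extraction: the archived copy replaces the local edit.
    replaced=$(extract_and_show "$work")
    rm -rf "$work"
    printf '%s|%s|%s|%s\n' "$kept" "$isolated" "$in_output" "$replaced"
}

run_demo   # prints: local edit|local edit|archived|archived
```
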


Modifying the retrieved metadata 

When the tar tool retrieves a file from the tarball, it sets the uid of the file to that for the current user. The tool also sets the file's permissions to those assigned to the user. But the tool leaves the modification date of the file unchanged.

You can change these behaviors with the right subcommand. To demonstrate, assume the archived file bar.log has a uid of John and a permissions flag of 767. Also, assume that its modification date is 20070501.

To keep the same uid assigned to the file in the tarball, use the --same-owner subcommand.

tar --file=foobar.tar --extract bar.log --same-owner

The tar tool extracts the file bar.log from foobar.tar, and leaves the file's uid unchanged (Figure 13).

Figure 13. Keeping the same uid.

To keep the same permissions for the file, use the --same-permissions subcommand.

tar --file=foobar.tar --extract bar.log --same-permissions

Again, the tar tool extracts bar.log from foobar.tar, and leaves the file's permissions unchanged (Figure 14).



Figure 14. Keeping the same permissions. 


Finally, to change the modification date of the extracted file, use the --touch option.

tar --file=foobar.tar --extract bar.log --touch

First, the tool extracts bar.log from foobar.tar. It then changes the file's modification date from 2007-05-01 to the retrieval date. For instance, if the tool retrieved bar.log on 2007 May 12, it sets the modification date to that date (Figure 15).

Figure 15. Changing the modification date.


Managing the tarball 

You can use the tar tool to compare the contents of the tarball against the files on the drive. You can use it to merge the contents of one tarball into another. You can also use the tool to change the format used by the tarball.

Assume that the tarball foobar.tar contains the files foo.txt and bar.log. To compare the archived files against those on the drive, use the --compare subcommand.

tar --file=foobar.tar --compare

The tar tool then determines which file has changed in terms of size or modification date (Figure 16). It displays its comparison results onto the Terminal window. To save the results into a separate file, e.g. compare.log, use the > redirection command.

tar --file=foobar.tar --compare > compare.log

Figure 16. Comparing the contents of the tarball.


Now assume you have a second tarball fubar.tar. This tarball contains two files: nue.xml and neu.htm. To merge this tarball with foobar.tar, use the --concatenate subcommand.

tar --file=foobar.tar --concatenate fubar.tar

First, the tar tool retrieves the contents of fubar.tar. It then adds the retrieved files into foobar.tar. Finally, the tool updates the header data of foobar.tar to reflect the new additions (Figure 17).



Figure 17. Merging two tarballs. 

Finally, you can change the format of the tarball with the --format subcommand. This subcommand allows you to create tarballs that can be opened by other versions of the tool.

The latest version of the tar tool supports five basic formats (Table 1). By default, the tool uses the gnu format to create its tarball. Future versions of the tool will start using posix as the default format. To find out the default format of your tool, type the following statement at the prompt.

tar --help | tail -n 5

Table 1. List of supported tarball formats.

Format   Description
gnu      Format used by tar tool versions 1.12 and newer. Has support for sparse files and incremental archives.
oldgnu   Format used by tar tool versions older than 1.12.
v7       Format used by tar v7. It is used by the Automake utility when producing makefiles.
ustar    Format defined by POSIX.1-1988 specification. Has support for symbolic ownership information and special files.
posix    Format defined by POSIX.1-2001 specification. Designed as the most flexible and feature-rich of all five formats.

Assume you want to create foobar.tar using the files foo.txt and bar.log. To create the tarball using a posix format, type the tar statement as follows.

tar --file=foobar.tar --format=posix --create foo.txt bar.log

To add the file nue.xml to foobar.tar, type the statement as follows.

tar --file=foobar.tar --format=posix --append nue.xml

Remember, once you have selected a tarball format, make sure to use the same format for all other tar tasks.

Tar and Xcode

So far, we learned how to use the tar tool from the command-line. Now, we will learn how to use the tool from Xcode. Access to the tool can be done in one of two ways. The first way is with a run script phase, the second is with a menu script.

Feel free to modify these scripts to suit your needs.

Using the run script phase

Listing 1 shows one example of using the tar tool through the Xcode run script phase. First, the script makes a list of files in the project directory. Then it prepares the tarball's filename from the script variable PROJECT_NAME. To ensure portability, the script strips out all spaces from the prepared name.

Next, the script checks if a tarball already exists with the same name. If one does exist, the script deletes that tarball. Then the script parses its list of files, and checks if each one exists. If the file exists, the script adds the file to the tarball. Also, the script skips over the build directory to avoid adding the tarball to itself.

Listing 1. The Xcode run script phase. 

# Retrieve a list of files in the current directory
TAR_LST=`ls`

# Prepare the path to the tarball (spaces are stripped from the name)
TAR_NOM=${PROJECT_NAME// /}
TAR_NOM="${TAR_NOM}.tar"
TAR_NOM="$TARGET_BUILD_DIR/$TAR_NOM"

# Does the old tarball exist?
# (paths are quoted because the build directory may contain spaces)
if [ -e "$TAR_NOM" ]
then
    # delete the old tarball
    rm -rf "$TAR_NOM"
fi

# Parse through the list of files
for TAR_ITM in $TAR_LST
do
    # does the file exist?
    if [ -e "$TAR_ITM" ]
    then
        # is the file really the build directory?
        if [ "$TAR_ITM" != "build" ]
        then
            # does the tarball exist?
            if [ -e "$TAR_NOM" ]
            then
                # update the tarball
                tar --file="$TAR_NOM" --append "$TAR_ITM"
            else
                # create a new tarball
                tar --file="$TAR_NOM" --create "$TAR_ITM"
            fi
        fi
    fi
done

Using the menu script 

Listing 2 shows how to use an Xcode menu script to access the tar tool. The script uses the same code as the run script phase. But it improves over the latter by providing user interaction.

First, the script creates a default name for the tarball with the date tool. It passes the format string +%y%m%d%H%M to the tool to format the tool's output. The tool returns the results as a string.

Next, the script prompts the user for a location where it will store the tarball. It also prompts for a name for the tarball, offering the default name as a possible value. The user enters the information on the dialog and clicks on the OK button.

The script then checks if a tarball exists with the same name at the chosen location. If one does exist, the script deletes the tarball. Next, the script gets a list of files in the project directory. It parses the list, and adds each named file to the tarball. The script also skips over the build directory as a preventive measure.

Listing 2. The Xcode menu script. 

#! /bin/bash
#
# -- PB User Script Info --
# %%%{PBXName=Archive the Project}%%%
# %%%{PBXInput=None}%%%
# %%%{PBXOutput=SeparateWindow}%%%
# %%%{PBXKeyEquivalent=}%%%
# %%%{PBXArgument=}%%%
# %%%{PBXIncrementalDisplay=YES}%%%
#

# initialize the following shell variable
TAR_MSG="Save the tarball as:"

# prepare a default archive name
TAR_DEF=`date +%y%m%d%H%M`
TAR_DEF="${TAR_DEF}.tar"

# select a backup filename
TAR_PTH=`%%%{PBXUtilityScriptsPath}%%%/AskUserForNewFileDialog "$TAR_MSG" "$TAR_DEF"`

# does the tarball already exist?
# (the chosen path is quoted because it may contain spaces)
if [ -e "$TAR_PTH" ]
then
    # delete the old tarball
    rm -rf "$TAR_PTH"
fi

# retrieve a list of project files and subdirectories
TAR_LST=`ls`

# Parse through the list of files
for TAR_ITM in $TAR_LST
do
    # does the file exist?
    if [ -e "$TAR_ITM" ]
    then
        # is the file really the build directory?
        if [ "$TAR_ITM" != "build" ]
        then
            # does the tarball exist?
            if [ -e "$TAR_PTH" ]
            then
                # update the tarball
                tar --file="$TAR_PTH" --append "$TAR_ITM"
            else
                # create a new tarball
                tar --file="$TAR_PTH" --create "$TAR_ITM"
            fi
        fi
    fi
done

echo "Finished creating the archive at: $TAR_PTH"

Concluding Remarks 

The tar tool makes it easy to combine multiple files into a single tarball. The tarball format is supported by different platforms, and is both simple and open. Various tools can also compress the tarball to reduce its size.

In most cases, you will need a Terminal session to use the tar tool. But you can also use the tool in your Xcode sessions. All you need to do is to write a run script phase or a menu script to store your project files into a tarball.

The tar tool is reliable, full-featured, and free. Perhaps that is why it is a popular tool amongst open-source developers.

MACTECH SPOTLIGHT

What do you do?

Dejal is a small ISV, so I do pretty much everything, including Cocoa development, customer support, accounting, PHP web development, graphic design, etc. I do have a developer that helps with Dejal Simon plugins etc, and I've used graphic designers for some app icons and the new Dejal logo. In addition to my own products, I do contracting work part-time.

How long have you been doing what you do?

I learned BASIC in 1982 as my first programming language, and knew that's what I wanted to do with my life. In 1988 I switched to Pascal on Mac Pluses at the University of Auckland in New Zealand, and started playing around with apps, but didn't sell anything until I created Dejal (originally called Dejal Userware, for user-friendly software) in 1991. Back then it was just a hobby, selling utilities for System 5 through Mac OS 9 (they're still available as freeware: <http://www.dejal.com/classic/>). There wasn't a web back then, though; I distributed my software via Compuserve, AOL, floppy disks, and later CDs, and provided licenses via airmail (from New Zealand), hand-written on photocopied certificates.

When my wife and I moved to the US in 2001, I learned Cocoa, developed my first Mac OS X apps, and registered my company as Dejal Systems, LLC in 2002.

Your first computer:

I got my first computer in 1983: a Sinclair ZX81, with 3.25 MHz Z80 processor, 1K of RAM, a cassette tape drive, tiny membrane keyboard, and hooked to a B&W TV. I first used a Mac at school: an original 128K Mac in 1984... but I didn't own one until I got a Mac Plus in im.


Are you Mac-only, or a multi-platform person?

Definitely Mac-only. I have a Windows box I got a few years ago for a project, but it just gathers dust.

Do the products you develop scratch a personal itch, or are they for others?

A bit of both. Obviously I need to keep marketability in mind when working on products. Most started out as fulfilling a need I didn't see being adequately serviced with existing products in the marketplace. Narrator started as a fun way to learn Cocoa, Simon began as a way for me to watch for website updates, and became more sophisticated as it became popular. I created Time Out to improve my health, since I can suffer from eyestrain when staring at a computer for hours on end. Caboodle was written to compete with others in the snippet-keeper market, as I didn't really like the approach existing ones took. Macfilink was created in partnership with an affiliate marketer to serve that community. BlogAssist was written specifically for my wife, who was really into LiveJournal blogging at the time. All of the products have grown and evolved over the years based on customer feedback - it's really important to listen to what people say about products and incorporate their ideas into the design, as makes sense. I keep track of all suggestions, and tally votes for them to determine the most requested enhancements, to which I give priority when deciding on features for an update.

What's the coolest tech thing you've done using OS X?

One thing I'm quite pleased with is the Script plugin in Dejal Simon. Simon is a server monitoring tool that uses a plugin model for services, notifiers, and reports. The Script plugin allows running AppleScripts, shell scripts, Perl, Python, Ruby, or other scripts to perform checks and notifications for local or remote servers and processes. I like it as it leverages Mac OS X's unix underpinnings to significantly enhance the reach of the product. That would've been much harder under Mac OS 9 or Windows.

Ever?

I wrote an integrated environment for an old SpectraVideo MSX computer (loaded off 5.25" floppies) around 1986, complete with a basic word processor, spreadsheet, and more. It was never released, though.

Where can we see a sample of your work?


- Try my products: free trials are available at <http://www.dejal.com/>.

- See my code: open source Cocoa at <http://www.dejal.com/developer/>.

- Read my thoughts: subscribe to my blog at <http://www.dejal.com/blog/>.

The next way I'm going to impact IT/OS X/the Mac universe is:

I'm excited about the upgrades of the Dejal apps for Leopard. Simon 3 and Time Out 2 will be major upgrades, with much-improved UI and features.